Privacy Policy

NewsCord is operated by Nima Akram (sole trader, United Kingdom), trading as NewsCord. For the purposes of UK GDPR, NewsCord is the data controller for any personal data you give us through this website,newscord.org, the NewsCord mobile app, and the NewsCord browser extension.

You can reach us at [email protected] for any privacy question or rights request. There is no separate Data Protection Officer because we are below the size threshold that requires one; the same inbox is read by the responsible person.

We only collect personal data that you choose to give us, at the point we collect it. We never combine data sets across channels to build a profile of you, and we never share data with advertisers.

• Action campaign submissions. Name, email address, and, where the campaign requires it, postcode, full postal address (BBC complaints), title, residence, nationality, or citizenship status. See Action campaigns for the full picture.
• Newsletter / campaign updates opt-in. If you tick “keep me updated” on a campaign form, we store your email address and the campaigns you opted into.
• Browser extension. When you actively use the “Is the article you’re on complaint worthy?” feature, we record the article URL and the reason you gave. Nothing else. See Browser extension.
• Anonymised analytics. Microsoft Clarity runs in cookieless mode. It tells us how visitors move through the site in aggregate. It does not identify you, does not set tracking cookies, and is never combined with action campaign data.
• Theme preference. Your light or dark mode choice is saved in your own browser via localStorage. It never leaves your device.
• Anonymised participation log. When a campaign submission succeeds we record one row in our internal campaign_participation table so we can answer “how many unique people took part in this campaign”. By default the row stores only a peppered SHA-256 hash of your email address, never the plaintext. We could not reverse this hash to your email from a database dump alone because the pepper lives in Google Secret Manager. If you ticked “keep me updated on this and future NewsCord campaigns”, your plaintext email and name are also stored on the same row, so we can show you which past campaigns you have taken part in. Untick that box and only the hash is kept.

Every action campaign at /action/<campaign> processes personal data on your behalf. Before you submit, the form shows you a consent box that lists every recipient and links to that recipient’s own privacy policy. You must tick the box to proceed. By ticking it, you give us UK GDPR Article 6(1)(a) explicit consent for that submission.

The flow for every campaign:

1. You enter the personal details the campaign needs (name, email, and any campaign-specific extras such as postcode or postal address).
2. We email you a six-digit verification code so we can be sure the submission is actually from you. The code is stored for a few minutes, then destroyed.
3. Where the campaign uses our “preview & edit” flow (e.g. IPSO complaints), we generate a personalised letter, store it in a Supabase row for up to 15 minutes so you can edit it, and delete that row the moment you confirm send.
4. We submit your letter, in your name, to the recipients you selected. Each recipient receives your name, email, and the body of the letter. Some receive additional fields (postcode for Ofcom, postal address for the BBC).
5. You receive a copy of every personalised email at the address you provided, so you have a record of what was sent in your name.

Each recipient processes your data under their own privacy policy, not ours. Once your submission has reached them, you have to use their channels to ask them to access, correct, or delete it. We link to each policy in the consent box and in Who we share data with below.

What we do not do: we do not retain your campaign letter once it has been sent (other than the audit log entry described in Retention). We do not use your details to contact you again unless you opted into campaign updates. We do not sell, rent or syndicate your data.

The NewsCord browser extension only collects information when you explicitly use the “Is the article you’re on complaint worthy?” feature. We do not track your browsing history, collect personal information, or monitor your online activities. When you submit a complaint through the extension we record the reason you gave and the article URL, nothing else. The extension operates locally on your device and only communicates with our servers when you actively choose to use its features.

NewsCord runs without behavioural advertising. We do not load advertising cookies and we do not embed third-party ad-tech.

We use Microsoft Clarity for product analytics in cookieless mode, which means no tracking cookies are written to your browser. Clarity tells us how visitors move through the site in aggregate. The data is anonymised and never combined with action-campaign data.

The only thing stored on your device by NewsCord directly is your theme preference (light or dark mode), kept in localStorage so the site remembers it next visit. It never leaves your device.

You can clear or block cookies at any time through your browser settings. Doing so will not break the site.

Under UK GDPR Article 6 we rely on the following lawful bases:

• Article 6(1)(a) — Consent. For every action campaign submission. You give consent by ticking the data-protection box above the “Continue” button on the campaign form. The consent is specific to that submission and that recipient list. You can withdraw consent for emails about future submissions at any time, though we cannot recall an email already delivered to a third party.
• Article 6(1)(a) — Consent. For the newsletter / campaign updates opt-in. You can unsubscribe at any time using the link in every email.
• Article 6(1)(f) — Legitimate interests. For cookieless website analytics that help us understand how the site is used and improve it. We’ve carried out a legitimate interests assessment and concluded that this minimal, anonymised processing does not override the interests, rights, or freedoms of users.

We do not process special-category data (such as data revealing political opinions). While our action campaigns concern matters of public interest, the personal data you submit (name, contact details, postcode) is not in itself special-category data.

The recipients of your action campaign submission are always listed by name on the campaign page and inside the “Find out more” expandable on the consent box before you submit. Each is its own data controller and processes the data under its own privacy policy:

• IPSO (Independent Press Standards Organisation) — receives the letter body, your name, and your email when you file a complaint against an IPSO-regulated publisher. IPSO privacy policy.
• BBC Complaints — receives the letter body, name, email, and the postal-address fields the BBC Complaints API requires. The BBC will email you a verification link; the complaint only becomes official once you click it. BBC privacy notice.
• Ofcom — receives the letter body, name, email, and UK postcode when you file an Ofcom Broadcasting Code complaint. Ofcom privacy policy.
• Your Member of Parliament — for MP campaigns, we look up your MP via members.parliament.uk using the postcode you supply, and email the letter to their published constituency inbox. Your name and email are in the From header so they can reply to you.
• Foreign ministries and embassies — for diplomatic campaigns (e.g. release of Palestinian hostages, Global Sumud Flotilla), the letter is emailed to the published inbox of each country’s foreign ministry and / or that country’s embassy. Each ministry processes inbound correspondence under its own data-protection regime.
• Newsroom editorial teams and NGOs — where a campaign sends letters directly to editorial inboxes or NGO desks, your name and email appear in the From header so the recipient can reply.

We use the following third-party services to run NewsCord. They process personal data on our instructions under written data-processing terms:

• Mailgun (Sinch Email) — delivers outbound email (verification codes, campaign letters on your behalf, newsletter messages). Delivery metadata may be retained briefly by Mailgun for deliverability and bounce handling. Mailgun privacy policy.
• Supabase — primary database (EU region) for campaign counters, the preview-and-edit session store, the newsletter opt-in list, and authenticated admin records. Supabase privacy policy.
• Google Cloud Functions and Google Cloud Storage — the serverless platform that hosts our backend, and short-lived storage for generated email previews. Google Cloud DPA.
• OpenAI — generates the personalised wording of your campaign letter from your inputs. We send only the data you supplied for that submission, and only the content of the letter; we have not opted into training-data sharing. OpenAI privacy policy.
• Microsoft Clarity — cookieless website analytics (see Website and cookies). Microsoft privacy statement.
• Vercel — hosts the NewsCord website and serves it from edge locations. Standard request logs may be retained briefly for security and abuse prevention. Vercel privacy policy.
• Google OAuth — if you choose to sign in with Google we receive your email address and full name so we can map your saved preferences. Used only for that purpose, never shared. Google privacy policy.

Some of our processors are located outside the United Kingdom (notably in the European Economic Area and the United States). Where personal data is transferred outside the UK, we rely on UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses with the relevant processor, as appropriate. Where a campaign letter is sent to a foreign government inbox, that transfer is necessary for the performance of your specific request and is covered by your explicit consent on the campaign form.

• Verification codes: destroyed once successfully verified or after expiry (a few minutes).
• Preview-and-edit campaign sessions (e.g. the IPSO preview flow): deleted from Supabase the moment you click “send”. Any unsent session self-expires after 15 minutes.
• Campaign audit log: we keep a minimal record of which campaign was filed and when (no email body) to support transparency reporting and abuse prevention. Retained for 12 months, then deleted.
• Anonymised participation log (campaign_participation): one peppered hash per (campaign, person) kept indefinitely as part of the public record of the campaign’s reach. For opted-in users the row also carries plaintext email + name; clearing those is part of the right-to-erasure request you can email us at any time.
• Newsletter opt-in list: retained until you unsubscribe. The unsubscribe link in every email is a one-click withdrawal.
• Browser extension complaint records: retained for 12 months for editorial review, then deleted.
• Analytics: Microsoft Clarity rolling window, no personally identifying data stored at our end.

All traffic to newscord.org and to our backend is encrypted in transit (TLS). Database credentials are held in Google Secret Manager and rotated periodically. Access to production data is restricted to the responsible person; we do not have a customer-support team with read-access to your records. We are required to notify the ICO of any qualifying personal-data breach within 72 hours.

Under UK GDPR you have the right to:

• Access — ask for a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your personal data (subject to legal exceptions).
• Restriction — ask us to limit our processing while we resolve a request.
• Portability — ask for the data you have given us in a structured, commonly used, machine-readable format.
• Object — object to processing carried out under legitimate interests.
• Withdraw consent — for any processing that relies on consent, at any time. Withdrawing consent does not affect the lawfulness of processing carried out before you withdrew it.
• Complain to the ICO — at any time, without going through us first. Make a complaint to the ICO.

To exercise any of these rights, email [email protected]. We aim to respond within one month, in line with UK GDPR. For action campaign submissions already sent to a third party (regulator, MP, foreign office), we will help you identify the right channel to use with that party.

We update this policy when something material changes about what we collect, how we use it, or who we share it with. The “Last updated” date at the top of this page reflects the most recent revision. Significant changes are also flagged in our campaign update newsletter for opted-in users.

For any privacy question, rights request, or concern about this policy, email [email protected]. If you are not satisfied with our response, you can complain to the UK Information Commissioner’s Office at any time: ico.org.uk/make-a-complaint.